For better or worse, the cloud has become a mainstay for organizations of all sizes. The flexibility and low upfront costs associated with cloud services have proved a temptation too great for many to pass up. Add to the mix consumerization’s intrepid march into the enterprise and you end up with a cloud free-for-all that has left few organizations unscathed. Yet the initial cloud offerings were based on a public model; that is, any individual or company could subscribe to these services, which meant shared resources, lack of control, and the potential for compromised information.
For IT types, such an arrangement raised its fair share of red flags, particularly with regard to protecting privacy and securing data. Yet the cloud tide could not be held back. As a result, some organizations turned to private cloud solutions in order to better secure and control their environments and data. Unfortunately, private clouds don’t come cheap and they lack much of the flexibility inherent in the public model, often subverting the spirit of the public cloud arrangement and leading to complex and resource-intensive implementations.
Not satisfied with either the public or private cloud as a sole solution, organizations are now turning to a new model, the hybrid cloud, which promises to merge the two worlds into a unified system that taps into the agility of the public cloud while leveraging the private cloud to protect sensitive resources. With such a system, you get the best of both worlds without the limitations associated with either. Or so it seems. But before you start evangelizing the hybrid model to your CFOs and CIOs and COOs and CEOs, you better take a closer look. Even the hybrid cloud, in all its redemptive splendor, is not without its challenges.
The Cloud Promise
Although the roots of cloud computing can be traced back to the 1960s, the ’90s are when the trend really took hold, with the 1999 launch of Salesforce.com being one of the most notable milestones. Since then, cloud computing has seen almost unprecedented growth. Yet for many, “the cloud” remains an ambiguous concept, referring broadly to any computing services delivered via the Internet, a definition that can apply to hosted desktops or online shopping carts or your neighbor’s blog about garden pests.
In an effort to clarify the concept of “cloud computing,” the US National Institute of Standards and Technology (NIST) published an official definition, which outlines five essential characteristics of the cloud model:
- On-demand self-service: Subscribers can provision computing services without requiring human interaction with the service provider.
- Broad network access: Services are available from multiple devices via a network, most notably, the Internet.
- Resource pooling: Computing resources are pooled in a multi-tenant model and shared by multiple subscribers.
- Rapid elasticity: Subscribers can rapidly provision computing services based on their immediate needs.
- Measured service: The service provider has in place the metering capabilities necessary to automatically control and optimize resource usage.
The NIST definition then goes on to define three basic service models:
- Software-as-a-service (SaaS): An application running as a service within a provider’s cloud infrastructure and accessible from remote client applications such as web browsers.
- Platform-as-a-service (PaaS): A platform for deploying cloud-based applications for public or private consumption.
- Infrastructure-as-a-service (IaaS): The infrastructure necessary to provision computing resources such as processors, networks, and storage.
This, of course, is only a brief overview of cloud computing’s characteristics and service models. For more detailed descriptions, see the publication “The NIST Definition of Cloud Computing.”
Regardless of the subtleties of how cloud computing might be defined, what’s important here is the emphasis on such characteristics as on-demand self-service, broad network access, resource pooling, and rapid elasticity, all traits we’ve come to expect with public cloud offerings. Think Rackspace. Think Heroku. Think Google Apps.
Public cloud services have been enticing consumers and businesses alike with their many seductive advantages over in-house solutions. They can be quickly implemented with relatively little upfront cost. The service provider sets up the system and takes care of ongoing maintenance, providing a ready-made solution that’s packaged as SaaS, PaaS, or IaaS. In many cases, cloud services are more reliable than in-house solutions because the provider supports multiple redundant sites. The cloud also makes it easier to scale out or scale in a system as needed, without investing in costly hardware and software that you might need only part of the time. Even security can sometimes be better with a cloud service than what currently exists within an organization.
Public cloud services also offer a number of other advantages and can serve as flexible and cost-effective alternatives to in-house solutions. Even so, some organizations might not be able to use these services because of regulatory or legal constraints. For example, in highly regulated industries such as banking or health care, use of public cloud services might be expressly prohibited, or a country’s laws might forbid data from being hosted outside that country. And even if using the public cloud is not specifically prohibited, concerns abound around issues of privacy when data is stored on a public facility. Does the service provider assume ownership over the data? Could a rogue employee steal or destroy that data? Is the NSA snooping into everyone’s personal data?
A public cloud service might also be more prone to outside security threats because of its high profile, and some providers might not implement the same layers of protection you can achieve in-house. Plus, if something goes wrong, you have no way of controlling how and when a response is carried out, and it’s highly unlikely you’ll have access to such information as the security and system logs in the event your data is compromised. In fact, IT loses most of its control with these services. The provider can update software, change configuration settings, and allocate resources without your input or your blessing. You must conform to the environment and standards implemented by the provider or find yourself another service.
Taking Control with the Private Cloud
Because of concerns about security, compliance, and operational control, some companies have shied away from the public cloud and gone with private clouds, which provide more visibility into their business processes. The primary difference, at least conceptually, between a private cloud and public cloud is that the private cloud is operated solely for a single organization. The infrastructure itself might be physically hosted in-house or with a third-party vendor, or it might be managed internally or by an outside service. Whatever the mix, the private cloud remains the domain of that one organization for use only by its own users, whether employees, contractors, partners, clients, or other types of associates.
The private cloud offers many of the same benefits as the public cloud, but with more control and better security. You decide how to implement system protections, manage privacy, audit operations, and perform ongoing maintenance. You also determine how to customize your hardware and software as well as when to apply patches and updates. In addition, a private cloud can often offer better performance than a public service because you’re not competing for system and network resources.
Unfortunately, such control does not come cheap. You have to come up with the capital necessary to procure the hardware and software needed to implement the platform. You also need the personnel to plan, implement, and maintain the system. These are complex infrastructures that require a high degree of technical expertise.
In addition, you must take into account such issues as energy costs and short and long range capacity planning. You don’t have the luxury you do with the public cloud to simply scale out your systems when necessary or pull them back in when not needed, not without a significant investment. You also have to account for data storage now and in the future, not only in terms of hosting and moving the data, but also with regard to ensuring that it’s fully protected and properly maintained throughout its lifetime. A private cloud is a serious, long-range investment; you can’t simply test the waters like you can with the public cloud.
Striking a Balance with the Hybrid Cloud
To address the limitations inherent in private and public clouds, while at the same time reaping their benefits, many organizations are turning to the hybrid model, an integrated solution that utilizes both types of services. A hybrid cloud can incorporate multiple private and public clouds or simply comprise one of each. As long as the solution bridges together at least two types of cloud services, it is considered hybrid. In fact, the hybrid cloud can even incorporate the community cloud, a type of cloud service that provides an infrastructure shared by two or more organizations to serve a common purpose, such as the BT for Life Sciences R&D platform.
In a hybrid solution, the individual cloud services remain distinct entities, even if hosted by the same provider. The hybrid structure lets you extend the capabilities of one cloud service by integrating it with another service. In this way, you can leverage the security and control benefits of the private cloud, while still taking advantage of the flexibility and cost-savings of the public cloud, using the public service when and where it’s most appropriate. This approach can be especially beneficial to the organization with diverse application needs and fluctuating business demands.
Organizations that look to a hybrid solution often start by hosting their mission-critical applications on the private cloud. These might include proprietary or line-of-business solutions or solutions where security and governance are paramount. Less critical apps, particularly those where usage is highly variable, are often better suited to a public service. Organizations can mix-and-match services however they deem necessary. Regardless of the approach, the hybrid solution always allows for sensitive data to be retained within the privately hosted environment, while supporting an integrated solution that can expand into the public cloud, thus providing flexibility and cost-savings.
Despite the integrated nature of the hybrid solution, the public and private cloud services operate independently of each other. Data is transferred between the two environments via an encrypted connection that facilitates application portability. In this way, the sensitive data remains protected in the private cloud with minimum exposure to risk, while still taking advantage of the computing resources available to the public environment. Note, however, there is still some debate as to what constitutes a hybrid cloud. In the strictest sense, it is the integration of two or more types of cloud services, usually at least one private and one public. This definition precludes the idea that simply connecting in-house services, applications, data stores or dedicated servers to a public cloud service constitutes a hybrid solution. Some would argue otherwise.
We can leave it to them to battle it out, but for now, let’s assume we’re talking specifically about connecting at least one private cloud to at least one public cloud. Even though these services remain separate entities, the goal of the hybrid model is to create a unified solution that joins the two environments into a single platform that leverages the best of both worlds.
To this end, each cloud service includes touch points that bind it to the other service in order to facilitate data movement and, in the process, provide the hybrid framework, which in this sense is as much conceptual as it is physical. In other words, you’re not creating a third entity that you can point to and call the “hybrid” component. That said, we’re seeing a rise in cloud service brokerages that act as intermediary system integrators that manage and coordinate efforts between the two services. Larger organizations might even choose to set up their own system integrators to coordinate these efforts. In this sense, we have our hybrid component.
There is no shortage of ways in which an organization might use the hybrid cloud model to meet its business needs. It can:
- Temporarily expand the capacity of its private cloud to meet an unexpected demand by offloading computing tasks to the public cloud.
- Host an e-commerce site in the private cloud, but provide catalog information in the public cloud.
- Perform sensitive analytics in the private cloud, but use a public cloud service to gather additional, non-sensitive data to incorporate into the analytics.
- Store sensitive client data in the private cloud, but use the public cloud to collaborate with clients on project planning documents.
- Host financial applications and data in the private cloud, but use a public cloud to manage workflow and handle email.
- Maintain the bulk of a development effort in the private cloud, but temporarily offload massive capacity testing to the public cloud.
- Conduct secure transactions within the private cloud, but temporarily offload compute-intensive analytical operations to a public service.
No doubt we could come up with lots more scenarios, but in the end, the way in which an organization utilizes the hybrid model will depend on its individual business requirements and the systems it already has in place. However, before you decide on the various ways you can use the hybrid cloud within your organization, it might help to have more specifics on why the model might be a good fit.
The Hybrid Advantage
When proponents of the hybrid cloud list their litany of reasons for embracing this model, they almost always point first to the flexibility provided by bridging the private and public clouds. Rather than having to choose between the two models, an organization can now move seamlessly between them. As with a private cloud, you design and implement your own cloud solution, tapping into the public cloud only when it best serves your business needs. Of course, you lose a certain measure of control for anything implemented in the public cloud, but you get to pick and choose the extent to which you relinquish that control and can do so on an as-needed basis, expanding into and out of the public environment in the most expeditious and cost-effective way possible. This can be ideal for the applications that need to scale out or in on a regular basis in order to meet fluctuating business demands.
The hybrid model also lets you take baby steps into the public cloud. For example, if your business has already implemented a private cloud, you can experiment with offloading one of your low-risk, resource-intensive apps to a public service. In this way, you get to test the vendor and the public cloud structure before committing business-critical applications. A public platform also lets you test new technologies to determine how well you’ll be able to integrate them with your current systems and how suited they’ll be to a cloud implementation. This lets you access massive computing resources without having to disrupt your private cloud operations or make deep investments in upgrading that infrastructure. The hybrid model offers a much greater degree of flexibility than what’s available to the private cloud alone.
By moving from a private cloud to a hybrid model, an organization can also benefit from the availability and reliability often supported by public services, where systems are geographically dispersed and redundancy built in to handle disaster recovery. Although these types of features can be incorporated into the private cloud, such operations can be costly and resource-intensive to implement on a large scale, something the public cloud is already built for. At the same time, the hybrid model can augment the public cloud by using various types of optimization techniques, such as caching data, adding write operation timestamps, or making use of such technologies as the representational state transfer (REST) abstraction architecture.
For organizations that have been relying solely on public cloud services, the hybrid model also offers security advantages because sensitive data can be better controlled by moving it to the private side of the hybrid equation, while still being able to leverage the computing resources available to the public cloud. The hybrid model makes it much easier to comply with regulations that govern privacy and security as well as adhere to company policies around privacy and security. All data transferred between the private and public environments is fully encrypted and supported with advanced authentication techniques. Data at rest can also be fully encrypted within the private space and protected according to in-house standards.
The hybrid model can also prove a cost-effective strategy for the organization looking to cut expenses. (And what organization isn’t?) Because of the flexibility inherent in the hybrid model, a company can utilize the public cloud for non-critical operations, thus reducing the implementation and maintenance costs associated with a private system. Public cloud offerings are usually subscription-based, pay-as-you-go services, which means you pay for only the services you need, without a heavy-duty investment in a system you might fully utilize only a couple of times a year. In many cases, the more operations you can offload to the public cloud, particularly common commodity operations, the more you’re likely to save, when compared to the costs of running your own private cloud, which requires ongoing maintenance and updating. With a public cloud, you also bring in a level of expertise you might not have available in-house. At the same time, the private component of the hybrid model can make budget and resource allocation more predictable because it gives you more control than with public services alone.
Control, in fact, is one of the essential characteristics of the hybrid model, despite the public component. For critical operations, IT still oversees such issues as hardware selection, software configuration, system design, and how security is implemented. In this way, IT can tailor its operations to meet the organization’s needs, rather than tailoring the operations to conform to a public platform. No applications or data need ever be released to a public venue that would put the organization at undue risk.
All That Glitters…
Clearly, the hybrid cloud has plenty to offer. You get to do what you want when you want to do it, without having to pigeonhole yourself into any one-cloud model. Unfortunately, going from talking about the hybrid model to actually implementing it is no small task. Think about what it actually means to bridge a private cloud and a public cloud. You must integrate software components and data protection systems and storage platforms across multiple services. You must integrate business applications and management tools from one end to the other. You must integrate legacy systems that require handholding throughout the workflow process.
Yet integration at the systems and application levels is just one of the challenges. The hybrid cloud requires a sophisticated network configuration that can transfer data securely and transparently between systems, while providing a seamless, reliable user experience across platforms. Implementing such a network can be an extremely complex undertaking, particularly for larger, geographically dispersed organizations. Not only must you ensure a fast and reliable network, but you must also have in place the failover capabilities necessary to handle any sort of network outage. This, of course, points to the platform’s overall architecture and the need for redundancy throughout to protect against system and network failures, all of which adds to the increasing complexity of the hybrid platform. The last thing you want is to implement an unreliable system that contributes to data latency between environments and subsequently impacts application performance.
Then there’s the issue of application and data security. Among other components, you must implement an identity framework that works across the various platforms. In addition, all operations must comply with legal regulations and company policies to ensure that privacy is preserved and sensitive information protected. This will require a governance framework to facilitate centralized control of privacy and security issues.
In addition, all data at rest and in motion must be encrypted, with the encryption keys properly stored and managed. Although the hybrid model offers advantages over the public cloud in terms of security, data moving between platforms and within the public cloud environment are still at risk. In addition, connecting to the public cloud can provide a conduit into your private environment that can put your entire operation in jeopardy. Any data transferred across a network is subject to third-party eavesdropping and interference, so it must be protected at all costs. On the other hand, it’s not unusual for an organization to discover that a public cloud service has actually implemented a more robust security strategy than what has been implemented in-house, leaving the private cloud the weakest security link in the system. A hybrid solution requires a thorough review of all your current security precautions and a carefully planned strategy for moving into the hybrid cloud.
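The requirements above (sensitive data kept in the private cloud, encryption at rest and in motion, an authenticated connection between the two clouds, and data-residency limits) can be checked mechanically against a deployment inventory before anything is moved. The following is an added example, not part of the original article; the workload names, field names, and rule names are all constructed for illustration, and the "sensitive-egress" rule is an assumed policy that flags flows for review.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    cloud: str                    # "private" or "public"
    sensitive: bool               # holds regulated or confidential data
    encrypted_at_rest: bool
    region: str
    allowed_regions: tuple = ()   # empty tuple: no residency restriction

@dataclass(frozen=True)
class Link:
    src: str                      # data flows from src to dst
    dst: str
    encrypted: bool               # e.g. TLS or a VPN tunnel
    authenticated: bool           # both ends prove their identity

def check_manifest(workloads, links):
    """Return a sorted list of (rule, subject) findings for a hybrid manifest."""
    by_name = {w.name: w for w in workloads}
    findings = set()
    for w in workloads:
        if w.cloud not in ("private", "public"):
            findings.add(("unknown-cloud", w.name))
        if w.sensitive and w.cloud != "private":
            findings.add(("sensitive-outside-private", w.name))
        if not w.encrypted_at_rest:
            findings.add(("unencrypted-at-rest", w.name))
        if w.allowed_regions and w.region not in w.allowed_regions:
            findings.add(("residency", w.name))
    for link in links:
        subject = f"{link.src}->{link.dst}"
        src, dst = by_name.get(link.src), by_name.get(link.dst)
        if src is None or dst is None:
            # A flow to something missing from the inventory cannot be assessed.
            findings.add(("undeclared-endpoint", subject))
            continue
        if not link.encrypted:
            findings.add(("unencrypted-in-transit", subject))
        if src.cloud != dst.cloud and not link.authenticated:
            findings.add(("unauthenticated-bridge", subject))
        if src.sensitive and dst.cloud == "public":
            # Assumed policy: sensitive sources feeding the public side need review.
            findings.add(("sensitive-egress", subject))
    return sorted(findings)

# Constructed sample inventory, loosely following the article's scenarios.
WORKLOADS = [
    Workload("orders-db", "private", True, True, "eu-west", ("eu-west",)),
    Workload("catalog", "public", False, True, "us-east"),
    Workload("client-records", "public", True, False, "us-east", ("eu-west",)),
    Workload("load-test", "public", False, True, "us-east"),
]
LINKS = [
    Link("catalog", "orders-db", True, True),      # compliant bridge
    Link("orders-db", "load-test", False, False),  # plaintext, no auth
    Link("orders-db", "billing", True, True),      # "billing" not inventoried
]

if __name__ == "__main__":
    for rule, subject in check_manifest(WORKLOADS, LINKS):
        print(f"{rule:28} {subject}")
```
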
An organization often uses public cloud services because it can offload much of its implementation and maintenance workloads. Indeed, one of the downsides of the private cloud is that it can bring that work back in-house. Yet if you think a private cloud is a big deal, wait till you get to the hybrid environment. Suddenly you’re faced with managing workloads across multiple environments and diverse architectures. That means implementing, integrating, and maintaining individual systems, applications, data stores, networks, and all other components that make these environments work. Add to this challenge the risks of the public cloud provider patching, upgrading, or reconfiguring its services, and you could be faced with an administrative nightmare. Even if you implement a hybrid ecosystem such as vCloud or OpenStack, you still face implementation and maintenance tasks that far exceed what you get with only a private cloud. On top of this, you must implement an end-to-end monitoring system that tracks the entire hybrid platform.
What all these infrastructure and network and security and administrative considerations boil down to is that a hybrid solution is not going to be cheap. If your organization has been sticking with the public cloud up till this point (or no cloud at all), the hybrid model brings with it all those expenses that come with the private cloud, plus the added hybrid-related costs. You might have to invest in server, storage, and network equipment to ensure you have the necessary capacity and bandwidth. You’ll also need the technical expertise to help design and implement such a system. And what about ongoing maintenance and hosting costs? All this could add up to a substantial investment, especially if you’re supporting hundreds of applications and massive amounts of data.
Even if you’ve already implemented a private cloud, there will still be costs associated with extending into the hybrid world. In addition, the promise of potential savings through a public service might not be realized if your business model isn’t the right fit and cannot take full advantage of the cloud’s flexibility and implementation features. Whatever path you’re considering, you should first do a careful cost analysis to ensure you’re on the right track. Building a hybrid cloud, or even just a private cloud, is no small undertaking and should not be taken lightly.
Having One’s Cake
Despite the challenges of the hybrid cloud, it still offers plenty of benefits. Just be sure you know what you’re getting into if you plan to implement such a solution, and be sure to seek out the expertise you need before embarking down this path. You must develop a well-defined roadmap that takes into account both short-term and long-term needs, weighed against your requirements for performance, availability, security, costs, and all other pertinent considerations. Moving to a hybrid model, or any cloud solution, often requires a shift in thinking on the part of IT in terms of how systems are implemented and services provided. Yet with the right planning and preparation, the hybrid system can provide a safe and cost-effective system for efficiently delivering application and data services to the people who need them. True, the hybrid cloud might inherit many of the challenges inherent in private and public clouds, but it also inherits many of their benefits.